Eap-tls limitations – Cisco 3.3 User Manual
Page 386
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-6
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
To force an EAP-TLS session to end before the session timeout is reached, either
restart the CSAuth service or delete the user from the CiscoSecure user database
CiscoSecure user database. Disabling or deleting the user in an external user
database has no effect because the session resume feature does not involve the use
of external user databases.
You can enable the EAP-TLS session resume feature and configure the timeout
interval on the Global Authentication Setup page. For more information about
enabling this feature, see
Global Authentication Setup, page 10-26
.
EAP-TLS Limitations
The Cisco Secure ACS implementation of EAP-TLS has the following
limitations:
•
Server and CA certificate file format—If you install the Cisco Secure ACS
server and CA certificates from files rather than from certificate storage,
server and CA certificate files must be in either Base64-encoded X.509
format or DER-encoded binary X.509 format.
•
LDAP attribute for binary comparison—If you configure Cisco Secure
ACS to perform binary comparison of user certificates, the user certificate
must be stored in Active Directory or an LDAP server, using a binary format.
Also, the attribute storing the certificate must be named “usercertificate”.
•
Windows server type—If you want to use Active Directory to authenticate
users with EAP-TLS when Cisco Secure ACS runs on a member server,
additional configuration is required. For more information, including steps
for the additional configuration, see Installation Guide for Cisco Secure ACS
for Windows Server.
Additionally, if Cisco Secure ACS receives traffic from a wireless access point
that has the wrong shared secret, the error message logged in the failed attempts
log reads “EAP request has invalid signature”. Three conditions that might cause
this to occur are the following:
•
The wrong signature is being used.
•
A RADIUS packet was corrupted in transit.
•
Cisco Secure ACS is being attacked.